05:12 GMT14 June 2021
Listen Live
    Get short URL
    0 39

    The 19-year-old exploited security weaknesses in a government website to gain access to thousands of records, including people’s personal data.

    A Canadian teenager is facing trial and up to a decade in prison after being charged with “unauthorized use of a computer”. On April 11, Nova Scotia police raided the home of the unnamed 19-year-old, who lives with his parents and siblings and is completing his secondary education. They arrested the young man, questioned his brother and sister and seized the family’s computers, preventing the father from doing his job.

    Nova Scotia Premier Stephen McNeil defended the charge as appropriate because in his view the teenager “stole” the documents from the province’s Freedom of Information and Protection of Privacy (FOIPOP) website. The records included personal data of thousands of Nova Scotians including dates of birth, addresses and social security numbers.

    'I Thought It Was Free to Just Download'

    The breach was discovered by accident early in April when a government official realised that a typing error in the number at the end of the website’s URL gave them access to documents they did not have the permissions to view. The provincial government took down the web portal and during their investigation they found that someone had downloaded the records off the site, and called Halifax’s Regional Police.

    In an interview the teenager argued that he had done nothing wrong, saying that he wanted to learn about the government’s labor troubles with teachers. He went to the FOIPOP website, couldn’t find what he was looking for and while playing around on the site discovered that he could download other documents. The personal information had not yet been redacted, so the files should not have been available to the public. The teenager, not realising that the records should not have been accessible, wrote a script to scrape the site for all 7,000 available files.

    The young man said that he didn’t realise the documents were not publicly available yet. He told CBC News, “I didn’t do anything to try to hide myself. I didn’t think any of this would be wrong if it’s all public information. Since it was public, I thought it was free to just download, to save.”

    'Highly Questionable'

    Sputnik spoke with Brenda McPhail of the Canadian Civil Liberties Association, who pointed out that the offence, “requires that the accused must have acted fraudulently and had an intent to commit an offence.”

    She pointed out that the teenager obtained the information simply by entering URLS, continuing, “He didn’t hack a password, he didn’t create a backdoor, there was no subterfuge or hiding his tracks: he simply went on a public website and downloaded documents using a series of sequential URLs. The charge is highly questionable in this case.”

    Executive Director of the Centre for Law and Democracy Toby Mendel largely agreed, saying that, “The response was clearly excessive, although there is a question mark about how innocent the action was.” He advised caution, explaining, “In terms of the prosecution, it seems likely that the individual in question lacked the requisite intent – which is fraudulent intent — for the offence he has been charged with, but we cannot know this with certainty yet.”

    Steven Aftergood, the Director of the Federation of American Scientists Project on Government Secrecy commented, “The case reflects a growing anxiety about the security of computer systems, and the vulnerability of personal information to unauthorized exposure. Even if the teen's motives were innocent, that may be little comfort to those whose personal data was compromised.”

    Indeed, the authorities delayed releasing any information about the breach, with Internal Services Minister Patricia Arab claiming, “We wanted the person responsible for this to not know that we knew that this had happened. We needed to let Halifax Regional Police do their job and couldn’t compromise the nature of their investigation.” The Superintendent of the police force Jim Perrin said that his officers made no such request and Arab withdrew her statement, leading to calls for her to resign.

    'There Should Be a Public Investigation'

    McPhail argued that the bigger issue is the “failure of the site to protect private, sensitive personal information properly,” saying, “There should be a public investigation, and a public accounting” for the mistakes. She highlighted “key questions” including, “Was there a security testing/audit process? Who was responsible for signing off on the site design including security?”

    While Mendel expressed doubt that anyone in the government “had the requisite intent to face charges,” over the failure to protect citizens’ data, he thinks that, “It is possible that some civil servants may yet face disciplinary measures or at least career-related measures (i.e. lack of promotion).” Mendel continued, “I am not even sure that there is a clear legal obligation to adequately protect personal data, although of course there should be.”

    Mendel went on, “The details as to how it came about that security was so poor are yet to emerge. Significantly, no financial data (e.g. credit card details) was lost, so obviously they had a system for protecting that (meaning they could have put in place proper security for the rest of it).” McPhail commented on the lack of adequate security, saying, “The public would be better served by an open and transparent investigation to get to the bottom of those questions than by prosecuting someone who inadvertently stumbled over the design flaw.”

    Aftergood summed up, “A lengthy jail term would not be a sensible response. Instead, a wise judge might order the teenager to use his skills to help improve the security of government websites. This kind of sentence could serve the interests of all parties in a constructive way.”

    The views of the speaker do not necessarily reflect those of Sputnik.

    The views and opinions expressed in the article do not necessarily reflect those of Sputnik.

    Centre for Law and Democracy, Canadian Civil Liberties Association, police, Nova Scotia, Halifax, Canada
    Community standardsDiscussion